Openfire SSO Problem - Authorization failed

Roman_Vins · April 30, 2015, 9:37am

Hello,

I am writting you due to our recent problems with Openfire. Everything went well till last month. Openfire is running but Miranda clients are no longer able to connect to Openfire. It says that Authorization Failed. We are running in Windows environment using SSO. We had version 3.8.2, also tried with 3.10 - same problem. When I remove system properties for SSO, I can login manually with my AD credentials. Openfire log shows this but I am not sure that it is the problem, my colleague says he has seen that before:

Openfire Log
2015.04.29 15:29:48 org.jivesoftware.openfire.handler.IQHandler - Internal server error

java.lang.IllegalArgumentException: The input is not a valid JID resource:

at org.xmpp.packet.JID.resourceprep(JID.java:421)

at org.jivesoftware.openfire.handler.IQAuthHandler.login(IQAuthHandler.java:247)

at org.jivesoftware.openfire.handler.IQAuthHandler.handleIQ(IQAuthHandler.java:190 )

at org.jivesoftware.openfire.handler.IQHandler.process(IQHandler.java:65)

at org.jivesoftware.openfire.IQRouter.handle(IQRouter.java:380)

at org.jivesoftware.openfire.IQRouter.route(IQRouter.java:123)

at org.jivesoftware.openfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:76)

at org.jivesoftware.openfire.net.StanzaHandler.processIQ(StanzaHandler.java:330)

at org.jivesoftware.openfire.net.ClientStanzaHandler.processIQ(ClientStanzaHandler .java:93)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:295)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:187)

at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:189)

Our gss.conf looks like this:

gss.conf
com.sun.security.jgss.accept {

com.sun.security.auth.module.Krb5LoginModule

required

storeKey=true

keyTab=“C:/Program Files (x86)/Openfire/resources/xmpp.keytab”

doNotPrompt=true

useKeyTab=true

realm=“CFME.LOCAL”

principal=xmpp/zlababa.cfme.local@CFME.LOCAL

debug=true;

};

and our System Properties are:

System Properties
sasl.gssapi.config C:\Program Files (x86)\Openfire\conf\gss.conf
sasl.gssapi.debug false
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm CFME.LOCAL

We have changed nothing, I wonder if it can be caused by Windows Updates. If I can provide any more information, please just let me know.

Thank you very much!

speedy · April 30, 2015, 4:00pm

what version of java are you using with openfire? does miranda use java too? if so, what version of java?

Thanks

Roman_Vins · May 4, 2015, 12:44pm

Hello,

sorry for late answer. We had holidays. Miranda does not use Java. Web interface of Openfire says 1.7.0_76 Oracle Corporation – Java HotSpot™ Client VM

speedy · May 5, 2015, 3:01pm

I would first try another client, to rule out it being a miranda issue. try spark 2.7

Roman_Vins · May 6, 2015, 11:10am

Hello,

so I tried Spark but with no success with SSO

speedy · May 6, 2015, 1:38pm

It could be a number of things. has your domain level changed? new DC? is DNS working ok? did you verify your krb5.ini files? Make sure you SPN account used isn’t locked out. Maybe regen your keytab file.

Roman_Vins · May 7, 2015, 9:36am

That is the problem. Nothing has changed. Same domain level, no new DC. DNS is working properly. For ensure I am posting krb5.ini:

[libdefaults]

default_realm = CFME.LOCAL

noaddresses = true

[realms]

CFME.LOCAL = {

kdc = server.cfme.local

default_domain = cfme.local

}

I am thinking… could be a problem with more IP addresses? Because there is IIS with IP address for SSL web? But DNS is set up correctly